Remote-access help into a 5505

Answered Question
Oct 2nd, 2008
Hi all. I need some help with remote access into a 5505. I can VPN in just fine, I just can't seem to pass any traffic. When I do a "sho cryp ipsec sa", I see traffic being decrypted, but I do not see any traffic being encrypted back to me. I attached my config; could I get some help from you guys to see where I have gone wrong? I appreciate it, as always.

Correct Answer
singhsaju Thu, 10/02/2008 - 06:18

This is happening because the ASA also has an L2L tunnel, and you are using the same NAT 0 access list for the L2L tunnel as the crypto ACL as well:

nat (inside) 0 access-list tocw
crypto map outside_map 10 match address tocw

So the traffic you are sending from the VPN client is actually going back into the L2L tunnel.

Do the following:

Create a separate access list for the L2L tunnel, specifying only the traffic specific to the L2L tunnel.

You have to check the remote side, but I think your crypto ACL for the L2L tunnel would be:

access-list VPNACL extended permit ip 192.168.201.0 255.255.255.0 192.168.73.0 255.255.255.0

no crypto map outside_map 10 match address tocw
crypto map outside_map 10 match address VPNACL

Your L2L tunnel will go down when you make these changes, so make the necessary arrangements.

Check and post results.

HTH

Saju

Please rate helpful posts.
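To make the mechanism in Saju's answer concrete, here is an added example (not from the thread, and not Cisco's code) that models how an ASA walks a crypto map in sequence order and hands a packet to the first entry whose ACL permits it. The 192.168.201.0/24 and 192.168.73.0/24 subnets come from the thread; the remote-access client pool 192.168.50.0/24, the second line of the `tocw` ACL, and the `RA_SA` proxy identity are assumptions made for the demonstration. With the shared ACL, an inside host's reply to a VPN client is claimed by the static L2L entry at sequence 10; once the L2L entry uses the narrower `VPNACL`, the same reply falls through to the dynamic entry, while L2L traffic and the NAT 0 exemption are unaffected.

```python
"""Model ASA crypto-map matching to show why one ACL shared between
'nat (inside) 0' and the L2L crypto map steals remote-access return traffic.
Added example; the tocw contents and the client pool are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' line of an extended ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(src, dst):
    return Ace(ipaddress.ip_network(src), ipaddress.ip_network(dst))


def acl_permits(acl, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in a.src and d in a.dst for a in acl)


# Subnets named in the thread.
INSIDE_LAN = "192.168.201.0/24"
L2L_REMOTE = "192.168.73.0/24"
# ASSUMPTION: the remote-access client pool; the thread never shows it.
RA_POOL = "192.168.50.0/24"

# ASSUMPTION: contents of 'tocw'. To exempt client traffic from NAT the
# poster must have added the client pool to it, so it covers both flows.
TOCW = [ace(INSIDE_LAN, L2L_REMOTE), ace(INSIDE_LAN, RA_POOL)]
# The L2L-only crypto ACL from the accepted answer.
VPNACL = [ace(INSIDE_LAN, L2L_REMOTE)]
# ASSUMPTION: proxy identity learned when the client's SA comes up. The
# dynamic map has no ACL of its own and is consulted after every static entry.
RA_SA = [ace("0.0.0.0/0", RA_POOL)]


def broken_crypto_map():
    # crypto map outside_map 10 match address tocw   (static L2L entry)
    return [(10, "static-L2L", TOCW), (65535, "dynamic-RA", RA_SA)]


def fixed_crypto_map():
    # crypto map outside_map 10 match address VPNACL
    return [(10, "static-L2L", VPNACL), (65535, "dynamic-RA", RA_SA)]


def select_sa(crypto_map, src_ip, dst_ip):
    """Walk the crypto map in sequence order; the first ACL match wins."""
    for _seq, name, acl in sorted(crypto_map, key=lambda e: e[0]):
        if acl_permits(acl, src_ip, dst_ip):
            return name
    return "cleartext"


def nat_exempt(src_ip, dst_ip):
    """nat (inside) 0 access-list tocw -- this part is unchanged by the fix."""
    return acl_permits(TOCW, src_ip, dst_ip)


if __name__ == "__main__":
    reply = ("192.168.201.10", "192.168.50.5")   # inside host -> VPN client
    l2l = ("192.168.201.10", "192.168.73.20")    # inside host -> L2L site
    for label, cmap in (("before", broken_crypto_map()),
                        ("after", fixed_crypto_map())):
        print(f"{label}: reply to RA client -> {select_sa(cmap, *reply)}, "
              f"L2L traffic -> {select_sa(cmap, *l2l)}, "
              f"NAT exempt -> {nat_exempt(*reply)}")
```

On a real ASA the same check is done with packet-tracer from the inside interface toward a connected client's address and by comparing the encaps/decaps counters of `show crypto ipsec sa` for the client peer against those for the L2L peer: the symptom in the question (decrypts but no encrypts) matches the reply traffic being claimed by the wrong entry.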

jjoseph01 Thu, 10/02/2008 - 06:32
I can't believe I didn't think of that. Thanks Saju, I appreciate it.
